Linux Remote Connection Tool-OpenSSH

Linux Remote Connection Tool-OpenSSH

During our daily server management and maintenance processes, we all need to use the remote connection tool. Today we will summarize the commonly used secure remote connection tool OpenSSH in Linux.

Remote logon Protocol]

1. telnet: a member of the TCP/IP protocol family. It is the standard protocol and main method of the Internet remote login service. It provides users with the ability to complete remote host work on local computers. Port 23 of TCP is used by default. It adopts the C/S architecture. During User Login, the transmitted information is in plain text and cannot be guaranteed. Therefore, telnet is not recommended.

2. ssh: Short for Secure Shell, developed by the IETF network team. SSH is a security protocol established on the application layer and transport layer. SSH is a reliable protocol designed for remote logon sessions and other network services. The SSH protocol can effectively prevent information leakage during Remote Management. Port 22 of TCP is used by default, which is also based on the C/S architecture. SSH has two versions: v1 and v2.

Sshv1: Based on CRC-32 MAC (message digest authentication), is not safe, it is strongly recommended not to use;

Sshv2: the safest MAC mode is selected based on mutual host negotiation. It has the following features: 1. the encryption and MAC mechanisms are selected through mutual negotiation; 2. Key Exchange Based on DH, identity Authentication Based on RSA or DSA; 3. The client checks the host key of the server to determine whether the communication can continue;

[OpenSSH overview]

OpenSSH is a set of connection tools used to securely access remote computers. It can be used as a direct replacement for rlogin, rsh rcp, and telnet. Furthermore, any other TCP/IP connection can be tunneling/forwarded securely through SSH. OpenSSH encrypts all transmission data to effectively prevent eavesdropping, connection hijacking, and other network-level attacks. OpenSSH is maintained by the OpenBSD project.

The logon process is similar to a session created using rlogin or telnet. During connection, SSH uses a key fingerprint system to verify the authenticity of the server. Only when you connect for the first time, you are required to enter yes for confirmation. Then, the connection verifies the pre-stored key fingerprint. If the fingerprint is inconsistent with the one received during logon, a warning is given. The fingerprint is saved in ~ /. Ssh/known_hosts, for SSHv2 fingerprint, It is ~ /. Ssh/known_hosts2.

By default, a newer version of OpenSSH only accepts SSHv2 connections. If version 2 can be used, the client program will automatically use it; otherwise, it will return version 1 mode. In addition, you can use the command line parameter-1 or-2 to forcibly use version 1 or 2. To maintain the Client Version 1 capability, we recommend that you use version 2 whenever possible to consider compatibility of earlier versions.

[SSH server and client workflow]

OpenSSH uses the C/S architecture:

Server tool (S): sshd

Client tool (C): ssh command, putty, xshell, securecrt, sshshellclient;

[OpenSSH client component-ssh]

Configuration text:/etc/ssh/ssh_config
Usage:
Ssh [username @] host [COMMAND] or ssh-l username host [COMMAND]
-P PORT: Specifies the remote server PORT;
-L username: Specifies the user logging on to the remote host. If this parameter is not specified, the current user is used;
Username @: equivalent to-l username;
If the COMMAND is set, the user logs on to the remote host using the username account to execute a specified COMMAND and return the result, instead of staying on the remote host;
[Root @ www ~] # Ssh 192.168.0.110 # Use the root user to log on;
The authenticity of host' 192. 168.0.110 (192.168.0.110) 'can't be established.
RSA key fingerprint is 01: 2e: 43: cc: bc: 1d: f1: e5: f0: f4: 89: 78: 74: a9: 49: 44.
Are you sure you want to continue connecting (yes/no )? Yes # The first connection requires manual confirmation;
Warning: Permanently added '192. 168.0.110 '(RSA) to the list of known hosts.
[Email protected]'s password: # enter the password of the root account of the remote host;
Last login: Mon May 11 16:44:52 2015 from 192.168.0.104
[Root @ mailCentOS6 ~] # The logon is successful. The remote host name is mailCentOS6;
[Root @ mailCentOS6 ~] # Ls # display files in the root directory of the remote host;
2. sh boot. iso install. log sdb. mbr test1
Anaconda-ks.cfg crontab install. log. syslog \ temp \ test
[Root @ mailCentOS6 ~] # Exit # log out;
Logout
Connection to 192.168.0.110 closed.
[Root @ www ~] # Ssh [email protected] ls # Use root to log on to the remote host, execute the ls command once, and exit after returning the result;
[Email protected]'s password: # For the second connection, you do not need to enter yes. Simply enter the password;
2. sh
Anaconda-ks.cfg
Boot. iso
Crontab
Install. log
Install. log. syslog
Sdb. mbr
\ Temp \ test
Test1
[Root @ www ~] # Have you seen that we are not currently logged on to the remote host;

[OpenSSH server component-sshd]
Configuration File:/etc/ssh/sshd_config (you can modify the default listening port and other parameters of ssh by modifying this file)
Service Script:/etc/rc. d/init. d/sshd
Service start | stop | restart: serveice sshd start | stop | restart
Script configuration file:/etc/sysconfig/sshd

Configuration parameters
# Man sshd_config;
# Vim/etc/sysconfig/sshd modify the configuration parameters by editing the configuration file;
# + Space + text: the line starting with this format represents the behavior change comments;
# + Text: the line starting with this format indicates that the option can be enabled. If it is not changed, the default setting of this option is used. Otherwise, use the set value "#" to remove it!
For example, if # Port 22 is not removed # And 22 remains unchanged, the default Port 22 is used;
If you change # Port 22 to port 7777, the listening Port of sshd is changed to 7777;
Note: After modifying parameters and configurations, you must restart the service (sshd restart ).
Parameters that need to be modified frequently:
[Root @ www ~] # Cat/etc/ssh/sshd_config
# $ OpenBSD: sshd_config, v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file. See
# Sshd_config (5) for more information.

# This sshd was compiled with PATH =/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped
# OpenSSH is to specify options with their default value where
# Possible, but leave them commented. Uncommented options change
# Default value.

# Port 22 # modify the default listening Port;
Port 7777 # change the listening port of sshd to 7777;
# AddressFamily any # The listening address family, which specifies whether the listening is on IPV4 or IPV6, and any indicates all;
# ListenAddress 0.0.0.0 # specify the listening address (0.0.0.0 indicates all the addresses of the Local Machine );
# ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# Installations. In future the default will change to require explicit
# Activation of protocol 1
Protocol 2

# HostKey for protocol version 1
# HostKey/etc/ssh/ssh_host_key # use the host key used by shhv1;
# HostKeys for protocol version 2
# HostKey/etc/ssh/ssh_host_rsa_key
# HostKey/etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
# KeyRegenerationInterval 1 h
# ServerKeyBits 1024 # key length;

# Logging
# Obsoletes QuietMode and FascistLogging
# SyslogFacility AUTH
SyslogFacility AUTHPRIV
# LogLevel INFO

# Authentication:

# LoginGraceTime 2 m # login grace period;
# PermitRootLogin yes # whether to allow the Administrator to log on directly;
# StrictModes yes
# MaxAuthTries 6 # maximum number of password input errors;
# MaxSessions 10 # maximum number of sessions;

# RSAAuthentication yes # whether to allow RSA Authentication;
# PubkeyAuthentication yes
# -------- Configuration Parameter slightly unchanged in the middle ----------

Subsystem sftp/usr/libexec/openssh/sftp-server # indicates whether the sftp function is enabled;

# Example of overriding settings on a per-user basis
# Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server

Sshd authentication method:
1. Password-based authentication;
2. Key-based authentication;
# Ssh-keygen-t rsa uses the rsa algorithm to generate a key. The default key is id_rsa (Private Key) and id_rsa.pub (Public Key)
# Ssh-keygen-f/path/to/somefile-P oldpassword generate a key based on the existing key file
-F/path/to/somefile: the location where the key file is stored;
-P': Specifies the password used to generate the old key;
Method 1: copy the Public Key id_rsa.pub generated by the local host to the remote host using scp, and use cat id_rsa.pub> on the remote host. ssh/authorized_keys append the public key information to achieve ssh Login based on key authentication;
Method 2: # ssh-copy-id-I. ssh/id_rsa.pub USERNAME @ HOST
[Root @ www ~] # Ssh-keygen-t rsa # generate a key using the rsa algorithm;
Generating public/private rsa key pair.
Enter file in which to save the key (/root/. ssh/id_rsa): # specify the key storage path and name. Generally, this parameter is not required.
# Modify and press Enter;
Enter passphrase (empty for no passphrase): # Enter the private key and password;
Enter same passphrase again: # Enter the private key and password;
Your identification has been saved in/root/. ssh/id_rsa.
Your public key has been saved in/root/. ssh/id_rsa.pub.
The key fingerprint is:
C2: f9: c2: 3d: 4d: ca: 52: 39: 7a: a7: 33: de: 42: 11: d3: 8f [email protected]
The key's randomart image is:
+ -- [RSA 2048] ---- +
|. |
| O. |
| O |
|... E. |
| + S... |
|. B. = |
| =. B o |
| ++ = |
|. O +. |
+ ----------------- +
[Root @ www ~] # Ssh-keygen-f. ssh/id_rsa-p' # regenerate the key based on the existing key file;
Generating public/private rsa key pair.
. Ssh/id_rsa already exists.
Overwrite (y/n )? Y # indicates whether to overwrite the data;
Your identification has been saved in. ssh/id_rsa.
Your public key has been saved in. ssh/id_rsa.pub.
The key fingerprint is:
Bf: 55: f0: 0b: a5: ee: 4e: 4a: 1d: d3: b1: 0e: 66: ee: 55: 9b [email protected]
The key's randomart image is:
+ -- [RSA 2048] ---- +
|
|
|. O |
| * O |
| S o =. |
|. * B oo |
| O * + E |
|. B. |
| O. + |
+ ----------------- +
# ----- Method 1: implement identity authentication through the key file (No Password is required )-----
[Root @ www ~] # Scp. ssh/id_rsa.pub [email protected]:/root/# Use the spc command to copy the public key file to the remote
#. Ss/path under the user's home directory of the host;
[Email protected]'s password: # enter the password for logging on to the remote host;
Id_rsa.pub 100% 397 0.4KB/s # indicates that the copy is successful;
[Root @ mailCentOS6 ~] # Ls. ssh/# verify that the file is copied successfully;
Id_rsa.pub known_hosts
[Root @ mailCentOS6 ~] # Touch. ssh/authorized_keys # If no key file is automatically verified in the path, create one;
[Root @ mailCentOS6 ~] # Cat. ssh/id_rsa.pub>. ssh/authorized_keys # append the public key to the automatically verified key file;
[Root @ www ~] # Ssh 192.168.0.110
Last login: Mon May 11 20:45:10 2015 from 192.168.0.111
[Root @ mailCentOS6 ~] # OK. No. You can log on remotely without entering the password !!

# ----- Method 2: implement identity authentication through the key file (No Password is required )-----
[Root @ mailCentOS6 ~] # Rm-f. ssh/authorized_keys # Delete the original automatically verified key file;
[Root @ www ~] # Ssh-copy-id-I. ssh/id_rsa.pub [email protected] # Use the command to automatically generate an automatic verification key file;
[Email protected]'s password:
Now try logging into the machine, with "ssh '[email protected]'", and check in:

. Ssh/authorized_keys # The file generated is prompted;

To make sure we haven't added extra keys that you weren't expecting.

[Root @ www ~] # Ssh 192.168.0.110 # verify if you can log on;
Last login: Mon May 11 21:02:29 2015 from 192.168.0.111
[Root @ mailCentOS6 ~] # Ls. ssh/# No. We have logged on to the mailCentOS6 host;
Authorized_keys known_hosts

[Command supplement]

Scp: A Tool for Secure File Transfer between hosts using the ssh protocol
Scp SRC1. .. DEST
There are two scenarios:
1. The source file is on the local machine and the target is a remote host.
# Scp/path/to/somefile... USERNAME @ HOST:/path/to/somewhere
The source can be a directory or multiple files, and the target must be a directory.
2. The source file is remote and the local file is the target
# Scp USERNAME @ HOST:/path/to/somewhere

-R: used to copy directories (implement recursive replication). scp cannot copy directories by default;
-P: preserve the metadata of the source file, including mode and timestamp.
-Q: In silent mode, no status information is displayed during the replication process;
-P PORT: Specifies the PORT for listening to the ssh protocol (remote host ).

--------------------------------------------------------------------------------
Okay. I will summarize the above. If there are any problems, please take a look at Hai Han. Thank you ~!!~

Install and configure OpenSSH in Ubuntu Server 13.10

Install OpenSSH remotely on Ubuntu

Solve the latency problem during remote login through OpenSSH

Offline installation of OpenSSH in Ubuntu 12.10

OpenSSH upgrade steps and precautions

Solutions for failures of common OpenSSH users

General thread: OpenSSH key management, Part 1 Understanding RSA/DSA authentication

Install OpenSSH and configure the sftp lock directory for RedHat

OpenSSL details: click here
OpenSSL: click here

This article permanently updates the link address: